US20060280296A1 - Cryptographic method and system for encrypting input data - Google Patents
Cryptographic method and system for encrypting input data Download PDFInfo
- Publication number
- US20060280296A1 US20060280296A1 US11/431,552 US43155206A US2006280296A1 US 20060280296 A1 US20060280296 A1 US 20060280296A1 US 43155206 A US43155206 A US 43155206A US 2006280296 A1 US2006280296 A1 US 2006280296A1
- Authority
- US
- United States
- Prior art keywords
- point
- representation
- random
- input
- position value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/724—Finite field arithmetic
- G06F7/725—Finite field arithmetic over elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7228—Random curve mapping, e.g. mapping to an isomorphous or projective curve
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/08—Randomization, e.g. dummy operations or using noise
Definitions
- Example embodiments of the present invention relate in general to a cryptographic method and system for encrypting data.
- crypto-algorithms include public key algorithms such as the Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithm, and symmetric key algorithms, for example, those based on the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).
- RSA Rivest-Shamir-Adleman
- ECC Elliptic Curve Cryptography
- DES Data Encryption Standard
- AES Advanced Encryption Standard
- SCA Side-Channel Analysis
- DFA Different Faults Analysis
- DPA Differential Power Analysis
- SCA Differential Power Analysis
- known countermeasure techniques based on the randomization of secret exponent and employed.
- these known techniques are relatively poor in responding to a special chosen-message power analysis attack.
- To counter this chosen-message power analysis attack it is possible to use the well-known randomization of input messages.
- FIG. 1 illustrates a conventional scalar multiplication process.
- an input point is received at operation S 11 , and then a point representation is selected and changed at operation S 12 .
- the point representation of the input point is an Affine representation
- the point representation is changed to a Projective representation, and then a scalar multiplication operation is performed in the chosen point representation of operation S 13 .
- An affine representation of a topological (Lie) group G is a continuous (smooth) homomorphism (e.g., structure-preserving map between two algebraic groups, for example, groups or vector spaces) G to the automorphism group of an affine space A.
- An automorphism is an isomorphism from a mathematical object to itself or a symmetry of the object, and a way of mapping the object to itself while preserving all its structure; the set of all automorphisms of an object is the automorphism group, or “symmetry group” of the object.
- a projective representation is a homomorphism from G to Aut( ⁇ )/K x , where K x is the normal subgroup of Aut( ⁇ ) consisting of multiplications of vectors in ⁇ by nonzero elements of K (e.g., scalar multiples of the identity), and Aut( ⁇ ) represents the automorphism group of the vector space underlying ⁇ .
- an encrypted point is generated by the scalar multiplication operation of a secret key and the input point based on an ECC algorithm.
- the scalar multiplication operation can be iterated for a plurality of rounds to fit a system specification.
- a point representation of the encrypted point is changed to another point representation (e.g., Affine representation) at operation S 14 .
- An output point obtained by changing the point representation of the encrypted point to the original point representation is output (S 15 ) to a post-processor for sign/verification.
- An example embodiment of the present invention is directed to a method for encrypting input data.
- a method in accordance with example embodiments may include receiving an input point and a randomness rate and generating a random selection value and a random position value from the randomness rate.
- At least one of the input point and points encrypted by performing elliptic curve (EC) operation over a plurality of rounds may be randomly selected based on the randomness rate and the random position value, The selected point may be converted to a point representation directed by the random selection value.
- a finally encrypted output point may be generated by performing the EC operation over a plurality of rounds based on the input point and a secret key.
- EC elliptic curve
- a system in accordance with example embodiments may include a scalar multiplication unit adapted to randomly select, based on a randomness rate and a random position value, at least one of an input point and points encrypted by elliptic curve (EC) operation over a plurality of rounds.
- the scalar multiplication unit may be adapted to generate a finally encrypted output point by performing the EC operation over a plurality of rounds based on the input point and a secret key.
- a system in accordance with example embodiments may include a random number generator adapted to generate a random selection value and the random position value from the randomness rate.
- a system in accordance with example embodiments may include a point representation converter adapted to generate the changed point by converting the selected point to a point representation directed by the random selection value.
- Another example embodiment of the present invention is directed to a cryptographic system which includes a plurality of elliptic curve (EC) operation units, a plurality of point representation converters and a random number generator.
- the plurality of EC operation units may be adapted to perform an EC operation based on an input point and a secret key in every round.
- Each of the plurality of point representation converters is located before and after the plurality of EC operation units, and may be adapted to randomly select, based on a randomness rate and a random position value, at least one of an input point and points encrypted by EC operation.
- Each of the point representation converters may be adapted to convert the selected point to a point representation directed by a random selection value, and to output the converted point to an EC operation unit in a subsequent round.
- the random number generator may be adapted to generate the random selection value and the random position value from the randomness rate.
- FIG. 1 illustrates a conventional scalar multiplication process.
- FIG. 2 is a flowchart illustrating a method for encrypting input data according to an example embodiment of the present invention.
- FIG. 3 is a block diagram of a cryptographic system implementing the method of FIG. 2 , according to an example embodiment of the present invention.
- FIG. 4 is a block diagram of a cryptographic system implementing the method of FIG. 2 , according to another example embodiment of the present invention.
- An example embodiment of the present invention is directed to a cryptographic method which may reduce the efficiency of power analysis attacks by increasing entropy in power tracks using a random point representation, so as to reduce and/or minimize the leakage of useful information from the power tracks.
- Another example embodiment of the present invention is directed to a cryptographic system for implementing an example method.
- the elliptic curve can be used over a prime finite field GF(p) or a binary finite field GF(2 n ).
- GF( ) denotes a Galois field (e.g., a finite field with p n elements, where p is a prime integer)
- the prime finite field is a field containing a prime number of elements
- the binary finite field is a field containing 2 n elements.
- the present example embodiment is related to elliptic curve cryptography (ECC) based on the binary finite field.
- ECC elliptic curve cryptography
- the present example embodiment is not limited to ECC based on the binary finite field. It will be understood by those skilled in the art that the present example embodiment can be applied to the prime finite field ECC by performing a modification and may also be applied to any well-known crypto-algorithm.
- the elliptic curves have a point addition operation to which is included a partial case, a point doubling operation.
- the scalar point multiplication is based on the point operations, which in turn are based on the finite field operations: multiplication in the finite field, addition in the finite field and square in the finite field.
- Equation 1 For the Ordinary Projective coordinates in GF(2 n ), Equation 1 can be transformed to Equation 5 where x, y and z represent coordinates on the elliptical curve and ⁇ is a non-zero constant.
- Equation 6 The relation between Equations 1 and 5 can be shown in Equation 6.
- Equation 1 For Jacobian Projective coordinates in GF(2 n ), Equation 1 can be transformed to Equation 7. The relation between Equations 1 and 7 can be described in Equation 8.
- Equation 1 can be transformed to Equation 9.
- Equation 9 The relation between Equations 1 and 9 can be described in Equation 10.
- the Weierestrass form of an elliptic curve representation is the most widely used in cryptographic applications and can be summarized as shown in Table 1 for quick conversion of the point representation.
- Table 1 A(x,y) denotes the Affine representation
- P(X,Y,Z) denotes the Ordinary Projective representation
- J(X,Y,Z) denotes the Jacobian Projective representation
- L(X,Y,Z) denotes the Lopez-Dahab Projective representation.
- Equation 11 if n is odd, then Equation 12 is achieved, thereby satisfying Equation 13.
- Equation 11 if ⁇ 2 (n ⁇ 1)/2 ⁇ 1 has been computed by ignoring the cost of squaring, it takes only one multiplication to evaluate the inverse operation (Equation 11).
- 2 n ⁇ 1 ⁇ 1 (2 (n ⁇ 1)/2 ⁇ 1)(2 (n ⁇ 1)/2 +1) (12)
- ⁇ 2 n ⁇ 1 ⁇ 1 ( ⁇ 2 (n ⁇ 1)/2 ⁇ 1 ) 2 (n ⁇ 1)/2 +1 (13)
- DPA Differential Power Analysis
- DPA attacks exploit variations in power consumption that are correlated to the data values being manipulated. These variations are typically much smaller than those associated with different instruction sequences, and therefore may be obfuscated by noise and measurement errors.
- Statistical methods are used on a collection of power tracks in order to reduce the noise and strengthen the differential analysis.
- a scalar multiplication is protected with an SPA-resistant method, for example, “Always double-and-add” and/or by a DPA-resistant method, for example, randomized projective coordinates, randomized elliptic curves or randomized field representations, for example, the scalar multiplication may still be vulnerable to a DPA attack in situations where a cryptanalyst can select the base point representation.
- an SPA-resistant method for example, “Always double-and-add” and/or by a DPA-resistant method, for example, randomized projective coordinates, randomized elliptic curves or randomized field representations
- values in a power track may be randomly changed by randomly changing the point representation during a scalar multiplication process.
- a scalar multiplication process in which the EC operation is executed over a plurality of rounds, encrypted points of randomly selected rounds may be converted to other points and processed.
- FIG. 2 is a flowchart illustrating a scalar multiplication operation to encrypt an input point P according to an example embodiment of the present invention.
- a cryptographic system receives the input point P and a randomness rate r at S 41 .
- the input point P may represent input data to be encrypted, and the randomness rate r denotes a value for controlling a randomization level of the point representation during the scalar multiplication process.
- the randomness rate r can be set between 0 to 100% by a user.
- a randomness rate r of 100% indicates that all of input and output points in the EC operation over a plurality of rounds are to be changed to different point representations.
- a randomness rate r of 60% indicates that only 60% of the input and output points in the EC operation over a plurality of rounds are to be changed to different point representations. Positions at which the input and output points are changed to the different point representations may be randomly determined.
- the cryptographic system sets the received input point P to Q 0 (S 42 ), and as shown in S 43 through S 48 , a finally encrypted output point Q may be generated by performing the EC operation over a plurality of rounds, and by randomly selecting the changed positions of the point representations.
- the cryptographic system receives a random position value r 1 generated by a random number generator 220 ( FIG. 3 ) at S 43 , and compares the received random position value r 1 with the randomness rate r (S 44 ).
- the random position value r 1 is randomly generated within a range of the randomness rate r in every round.
- the cryptographic system If the randomness rate r is equal to or less than the random position value r 1 of S 44 , the cryptographic system generates an encrypted point Q i by performing the EC operation of a subsequent round without a representation change of a point Q i ⁇ 1 encrypted in the EC operation of a previous round (S 45 ).
- the secret key k is generated by a given key generator, and the domain parameters a,b,n can be received from a given protected non-volatile memory.
- the cryptographic system receives a random selection value r 2 generated by the random number generator 220 and generates a changed point (S 47 ) by converting the point Q i ⁇ 1 encrypted in the EC operation of the previous round to a point representation directed by the random selection value r 2 .
- the random selection value r 2 is generated to randomly select one of the plurality of point representations shown in Table 1 in each round. In this case, the cryptographic system generates the encrypted point Q i by applying the point representation-converted point to a subsequent round (S 45 ).
- FIG. 3 is a block diagram of a cryptographic system 200 implementing the method of FIG. 2 according to an example embodiment of the present invention.
- the cryptographic system 200 may include a scalar multiplication unit 210 configured to receive the input point P and the randomness rate r (see S 41 ).
- the system 200 may include a random number generator 220 configured to randomly generate the random position value r 1 and the random selection value r 2 from the randomness rate r in every round.
- the scalar multiplication unit 210 may be adapted or configured to compare (S 44 ) the randomness rate r with the random position value r 1 and to select the input point P. If the randomness rate r is greater than the random position value r 1 (output of S 44 is ‘YES’), then the input point P selected by the scalar multiplication unit 210 is output to a point representation converter 230 which is adapted to change its point representation.
- the point representation converter 230 may be adapted to generate a changed point Q i ′ by converting an input point Q i selected by the scalar multiplication unit 210 (S 47 ) to a point representation directed by the random selection value r 2 .
- the scalar multiplication unit 210 generates the encrypted output point Q by performing the EC operation based on the changed point Q i ′ and a secret key of a corresponding round (S 45 ). If the randomness rate r is equal to or less than the random position value r 1 (output of S 44 is ‘NO’), the scalar multiplication unit 210 generates the encrypted output point Q by performing the EC operation at S 45 based on a point presentation of a previous round without the point representation change.
- the scalar multiplication unit 210 compares the randomness rate r with the random position value r 1 , determines whether to change a point representation, selects a point before or after a corresponding round, and outputs the selected point to the point representation converter 230 .
- the point representation converter 230 may be configured so as to be “shared” to randomly convert the point representation, both before the EC operation and after the EC operation (S 47 ) in every round.
- the scalar multiplication unit 210 randomly selects at least one of the input point P and points encrypted by the EC operation over a plurality of rounds, and applies a point obtained by changing a representation of the selected point to a subsequent round.
- the change of the point representation may be determined based on the randomness rate r and the random position value r 1 generated by the random number generator 220 in every round.
- the kind or type (see Table 1) of the changed point representation may be determined based on the random selection value r 2 generated by the random number generator 220 in every round.
- FIG. 4 is a block diagram of a cryptographic system 300 implementing the cryptographic method of FIG. 2 according to another example embodiment of the present invention.
- the system 300 may include a plurality of EC operation units 211 , 212 , 213 , . . . and a plurality of point representation converters 231 , 232 , 233 , etc.
- the random number generator 220 shown in FIG. 3 is also included but not shown for purposes of clarity.
- each given point representation converter 231 , 232 , 233 , etc. is located before and after a corresponding, given EC operation of each round.
- the system 300 receives the input point P and the randomness rate r (see S 41 of FIG. 2 ).
- the random position value r 1 and the random selection value r 2 are randomly generated by the random number generator 220 from the randomness rate r in every round.
- a first point representation converter 231 compares the randomness rate r with the random position value r 1 before a first EC operation unit 211 (see S 44 of FIG. 2 ) and selects the input point P if the randomness rate r is greater than the random position value r 1 (output of S 44 is ‘YES’).
- the first point representation converter 231 generates a changed point (S 47 ) by converting the selected input point P to a point representation directed by the random selection value r 2 .
- the first EC operation unit 211 generates an encrypted output point Q 1 by performing the EC operation based on the changed point and a secret key k of a corresponding round.
- the first point representation converter 231 outputs the input point P to the first EC operation unit 211 without the point representation change.
- the first EC operation unit 211 generates the encrypted output point Q 1 at S 45 by performing the EC operation based on the input point P and the secret key k of the corresponding round.
- each of the remaining point representation converters 232 , 233 , . . . compares the randomness rate r with the random position value r 1 , determines whether to change a point representation, selects a point before or after a corresponding round, and converts the selected point to a point representation as directed by the random selection value r 2 . According to the conversion, each of the point representation-changed points Q 1 ′, Q 2 ′, . . .
- Each corresponding EC operation unit performs the EC operation based on a point representation-changed or non-changed point and a corresponding secret key, which are input in every round.
- the change of the point representation is determined based on the randomness rate r and the random position value r 1 generated by the random number generator in every round.
- the kind or type (see Table 1) of the changed point representation is determined based on the random selection value r 2 generated by the random number generator in every round.
- the cryptographic method and system may offer a powerful countermeasure against the DPA.
- “Affine,” “Ordinary Projective,” “Jacobian Projective” and “Lopez-Dahab Projective” point representations can be used.
- a program in accordance with example embodiments of the present invention may be a computer program product causing a computer to execute a method for encrypting input data by implementing the functionality as described in FIG. 2 , for example.
- the computer program product may include a computer-readable medium having computer program logic or code portions embodied thereon for enabling a processor of a system in accordance with example embodiments to perform one or more functions in accordance with an example methodology described above.
- the computer program logic may thus cause the processor to perform an example method, or one or more functions of an example method described herein.
- the computer-readable storage medium may be a built-in medium installed inside a computer main body or removable medium arranged so that it can be separated from the computer main body.
- Examples of the built-in medium include, but are not limited to, rewriteable non-volatile memories, for example, RAM, ROM, flash memories and hard disks.
- Examples of a removable medium may include, but are not limited to, optical storage media, for example, CD-ROMs and DVDs; magneto-optical storage media, for example, MOs; magnetism storage media, for example, floppy disks (trademark), cassette tapes, and removable hard disks; media with a built-in rewriteable non-volatile memory, for example, memory cards; and media with a built-in ROM, for example, ROM cassettes.
- These programs may also be provided in the form of an externally supplied propagated signal and/or a computer data signal embodied in a carrier wave.
- the computer data signal embodying one or more instructions or functions of an example methodology may be carried on a carrier wave for transmission and/or reception by an entity that executes the instructions or functions of an example methodology.
- the functions or instructions of the example method as shown in FIG. 2 may be implemented by processing one or more code segments of the carrier wave in a computer controlling one or more of the components of the example system in FIGS. 3 and/or 4 , where instructions or functions may be executed for encrypting data, in accordance with the example method outlined in any of FIGS. 2-4 .
- Such programs, when recorded on computer-readable storage media may be readily stored and distributed.
- the storage medium, as it is read by a computer may enable the encrypting of input data in accordance with an example method described herein.
- the cryptographic method and system according to example embodiments of the present invention can set a performance degradation level corresponding to the number of changed point representations in the scalar multiplication process, while increasing the complexity of a power analysis attack by masking power tracks in the EC operation, so as not to be distinguished.
- binary field ECC has been described in the above example embodiments, prime field ECC using an Extended Euclidian algorithm may be implemented with minor modifications, and in its implementation, may be configured to counter the Power Analysis attack.
- a cryptographic method and system can reduce the efficiency of DPA attacks by increasing entropy of power tracks based on randomly changed point representations. Also, since a user can control a randomness rate of the point representations, a performance degradation level and a security resistance level can be set. Accordingly, the cryptographic method and system may be applied to a crypto-system requiring robustness against DPA attacks and which also requires a high operation speed. In addition, the cryptographic method and system may be applicable to prime finite field ECC, through slight modifications and may be readily applied to any well-known crypto-algorithm.
- FIGS. 2-4 describing an example system and/or method may be implemented in hardware and/or software.
- the hardware/software implementations may include a combination of processor(s) and article(s) of manufacture.
- the article(s) of manufacture may further include storage media and executable computer program(s).
- the executable computer program(s) may include the instructions to perform the described operations or functions.
- the computer executable program(s) may also be provided as part of externally supplied propagated signal(s).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Analysis (AREA)
- Computing Systems (AREA)
- Computational Mathematics (AREA)
- Mathematical Physics (AREA)
- General Engineering & Computer Science (AREA)
- Algebra (AREA)
- Storage Device Security (AREA)
Abstract
Description
- This application claims the benefit of Korean Patent Application No. 10-2005-0039095, filed on May 11, 2005, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.
- 1. Field of the Invention
- Example embodiments of the present invention relate in general to a cryptographic method and system for encrypting data.
- 2. Description of the Related Art
- To solve the problems in modern confidential data communications, hardware cryptographic systems based on known crypto-algorithms have become popular in an effort to continually growing performance requirements. These crypto-algorithms include public key algorithms such as the Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithm, and symmetric key algorithms, for example, those based on the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).
- However, in addition to hardware-oriented crypto-systems, new crypto-analysis methods, for example, Side-Channel Analysis (SCA) have been developed. There are several different techniques for attacks on data communication systems, typically including Timing Analysis, Power Analysis, Electro-Magnetic Analysis, and Different Faults Analysis (DFA). It is known that these techniques can successfully attack the crypto-systems and obtain secret keys with less time and effort.
- Accordingly, developing countermeasures against crypto-analysis methods, for example, SCA is becoming an important task for the future. However, as ECC is a relatively recent branch of cryptography, there is scant literature describing how to counter the SCA for data protection systems adopting the ECC.
- For example, in Differential Power Analysis (DPA), which is a type of SCA, power tracks during a scalar multiplication operation are analyzed to obtain information on secret keys. To prevent leakage of information by the DPA, known countermeasure techniques based on the randomization of secret exponent and employed. However, these known techniques are relatively poor in responding to a special chosen-message power analysis attack. To counter this chosen-message power analysis attack, it is possible to use the well-known randomization of input messages.
-
FIG. 1 illustrates a conventional scalar multiplication process. Referring toFIG. 1 , in a conventional crypto-system, an input point is received at operation S11, and then a point representation is selected and changed at operation S12. For example, if the point representation of the input point is an Affine representation, the point representation is changed to a Projective representation, and then a scalar multiplication operation is performed in the chosen point representation of operation S13. - An affine representation of a topological (Lie) group G is a continuous (smooth) homomorphism (e.g., structure-preserving map between two algebraic groups, for example, groups or vector spaces) G to the automorphism group of an affine space A. An automorphism is an isomorphism from a mathematical object to itself or a symmetry of the object, and a way of mapping the object to itself while preserving all its structure; the set of all automorphisms of an object is the automorphism group, or “symmetry group” of the object.
- In mathematics, for example, in group theory, if G is a group and P is a vector space over a field K, then a projective representation is a homomorphism from G to Aut(ρ)/Kx, where Kx is the normal subgroup of Aut(ρ) consisting of multiplications of vectors in ρ by nonzero elements of K (e.g., scalar multiples of the identity), and Aut(ρ) represents the automorphism group of the vector space underlying ρ.
- As is well known, an encrypted point is generated by the scalar multiplication operation of a secret key and the input point based on an ECC algorithm. The scalar multiplication operation can be iterated for a plurality of rounds to fit a system specification. When the scalar multiplication operation is complete, a point representation of the encrypted point is changed to another point representation (e.g., Affine representation) at operation S14. An output point obtained by changing the point representation of the encrypted point to the original point representation is output (S15) to a post-processor for sign/verification.
- In the conventional crypto-system configured to resist DPA attacks, secret key masking or input point masking can be used. However, in the conventional crypto-system, since a complex scalar multiplication operation is duplicated for a plurality of rounds in parallel, this may lead to an increase in costs and a considerable reduction in performance. Accordingly, it may not be feasible to apply the conventional crypto-system to a plurality of actual applications.
- An example embodiment of the present invention is directed to a method for encrypting input data. A method in accordance with example embodiments may include receiving an input point and a randomness rate and generating a random selection value and a random position value from the randomness rate. At least one of the input point and points encrypted by performing elliptic curve (EC) operation over a plurality of rounds may be randomly selected based on the randomness rate and the random position value, The selected point may be converted to a point representation directed by the random selection value. A finally encrypted output point may be generated by performing the EC operation over a plurality of rounds based on the input point and a secret key.
- Another example embodiment of the present invention is directed to a cryptographic system for encrypting input data. A system in accordance with example embodiments may include a scalar multiplication unit adapted to randomly select, based on a randomness rate and a random position value, at least one of an input point and points encrypted by elliptic curve (EC) operation over a plurality of rounds. The scalar multiplication unit may be adapted to generate a finally encrypted output point by performing the EC operation over a plurality of rounds based on the input point and a secret key. A system in accordance with example embodiments may include a random number generator adapted to generate a random selection value and the random position value from the randomness rate. A system in accordance with example embodiments may include a point representation converter adapted to generate the changed point by converting the selected point to a point representation directed by the random selection value.
- Another example embodiment of the present invention is directed to a cryptographic system which includes a plurality of elliptic curve (EC) operation units, a plurality of point representation converters and a random number generator. The plurality of EC operation units may be adapted to perform an EC operation based on an input point and a secret key in every round. Each of the plurality of point representation converters is located before and after the plurality of EC operation units, and may be adapted to randomly select, based on a randomness rate and a random position value, at least one of an input point and points encrypted by EC operation. Each of the point representation converters may be adapted to convert the selected point to a point representation directed by a random selection value, and to output the converted point to an EC operation unit in a subsequent round. The random number generator may be adapted to generate the random selection value and the random position value from the randomness rate.
- Example embodiments of the present invention will become more fully understood from the detailed description given herein below and the accompanying drawings, wherein like elements are represented by like reference numerals, which are given by way of illustration only and thus are not limitative of example embodiments therein.
-
FIG. 1 illustrates a conventional scalar multiplication process. -
FIG. 2 is a flowchart illustrating a method for encrypting input data according to an example embodiment of the present invention. -
FIG. 3 is a block diagram of a cryptographic system implementing the method ofFIG. 2 , according to an example embodiment of the present invention. -
FIG. 4 is a block diagram of a cryptographic system implementing the method ofFIG. 2 , according to another example embodiment of the present invention. - An example embodiment of the present invention is directed to a cryptographic method which may reduce the efficiency of power analysis attacks by increasing entropy in power tracks using a random point representation, so as to reduce and/or minimize the leakage of useful information from the power tracks. Another example embodiment of the present invention is directed to a cryptographic system for implementing an example method.
- An elliptic curve E is a set of points (x,y) which satisfy the elliptic curve equation (Equation 1) in the Weierstrass form where αn(n=1,2,3, . . . ) is a non-zero constant:
E: y 2+α1 xy+α 3 y=x 3+α2 x 2+α4 x+α 6. (1) - For cryptographic applications, the elliptic curve can be used over a prime finite field GF(p) or a binary finite field GF(2n). Here, GF( ) denotes a Galois field (e.g., a finite field with pn elements, where p is a prime integer), the prime finite field is a field containing a prime number of elements, and the binary finite field is a field containing 2n elements.
- The present example embodiment is related to elliptic curve cryptography (ECC) based on the binary finite field. However, the present example embodiment is not limited to ECC based on the binary finite field. It will be understood by those skilled in the art that the present example embodiment can be applied to the prime finite field ECC by performing a modification and may also be applied to any well-known crypto-algorithm.
- If n≧1, then there is a unique field GF(2n) with 2n elements. For the binary finite field case, Equation 1 may be changed to Equation 2:
- The elliptic curves have a point addition operation to which is included a partial case, a point doubling operation. For example, to get to the resultant point R=P+Q=(x3,y1)from two input points P=(x1,y1) and Q=(x2, y2), the next finite field operation (Equation 3) in the binary finite field GF(2n) is requested:
- For the point doubling operation (P=Q), the next finite field operation (Equation 4) is performed in the binary finite field GF(2n):
- The main operation in ECC is a scalar point multiplication which consists of computing Q=k·P=P+P+ . . . +P (k times), where k is a secret key. The scalar point multiplication is based on the point operations, which in turn are based on the finite field operations: multiplication in the finite field, addition in the finite field and square in the finite field. A related operation is the discrete logarithm, which consists in computing k from P, where Q=k·P.
- There are several different possible representations of the point (dot) on the elliptic curve besides the Affine representation (used in the above equations), for example, an Ordinary Projective representation, a Jacobian Projective representation, a Lopez-Dahab Projective representation, etc. As these representations are known mathematical or algebraic representations, a detailed discussion thereof is limited for purposes of brevity. Each of the representations may have its own advantages, for example, improved performance, resistance to certain types of attacks, or may be a system which may be more easily built.
- For the Ordinary Projective coordinates in GF(2n), Equation 1 can be transformed to Equation 5 where x, y and z represent coordinates on the elliptical curve and α is a non-zero constant. The relation between Equations 1 and 5 can be shown in Equation 6.
- For Jacobian Projective coordinates in GF(2n), Equation 1 can be transformed to Equation 7. The relation between Equations 1 and 7 can be described in Equation 8.
- For the Lopez-Dahab Projective coordinates in GF(2n), Equation 1 can be transformed to Equation 9. The relation between Equations 1 and 9 can be described in Equation 10.
- The Weierestrass form of an elliptic curve representation is the most widely used in cryptographic applications and can be summarized as shown in Table 1 for quick conversion of the point representation. In Table 1, A(x,y) denotes the Affine representation, P(X,Y,Z) denotes the Ordinary Projective representation, J(X,Y,Z) denotes the Jacobian Projective representation, and L(X,Y,Z) denotes the Lopez-Dahab Projective representation.
TABLE 1 Point Conversion A(x, y) P(X, Y, Z) J(X, Y, Z) L(X, Y, Z) A(x, y) (x, y) (x, y, 1) (x, y, 1) (x, y, 1) P(X, Y, Z) (X, Y, Z) (X · Z, Y · Z2, Z) (X, Y · Z, Z) J(X, Y, Z) (X, Y, Z) L(X, Y, Z) (X · Z, Y · Z, Z) (X, Y, Z) - An inverse operation of an element in the EC operation in the binary finite field is achieved as described below. That is, there is known a method of computing an inverse operation of an element in GF(2n) by minimizing the number of multiplications. For example, if αεGF(2n), α≠0, then
Equation 11 is satisfied.
α−1=α2n −2=(α2n−1 −1)2 (11) - In
Equation 11, if n is odd, thenEquation 12 is achieved, thereby satisfyingEquation 13. Hence, if α2(n−1)/2 −1 has been computed by ignoring the cost of squaring, it takes only one multiplication to evaluate the inverse operation (Equation 11).
2n−1−1=(2(n−1)/2−1)(2(n−1)/2+1) (12)
α2n−1 −1=(α2(n−1)/2 −1)2(n−1)/2 +1 (13) - If n is even in
Equation 11, Equation 14 is satisfied. Consequently, if α2(n−2)/2 −1 has been computed, it takes only two multiplications to evaluate the inverse operation (Equation 11).
α2n−1 −1=α2(2(n−2 )/2 −1)(2(n−2)/2 +1)+1 (14) - The procedure of the inverse operation may be recursively repeated. This method requires I(n)=└log2 (n−1)┘+ω(n−1)−1 field multiplications, where ω(n−1) denotes the number of 1's (Hemming weight) in the binary representation of n−1.
- The hypothesis behind a Differential Power Analysis (DPA) attack is that the power tracks are correlated to the instructions that a cryptographic system is executing, as well as the values of the operands that a system in accordance with example embodiments is manipulating. Therefore, examination of the power tracks may reveal information on the instructions being executed and on the contents of data registers. In a case that the cryptographic system is executing a secret-key cryptographic operation, it may then be possible to deduce the secret key.
- In Simple Power Analysis (SPA) attacks, information on the secret key can be deduced directly by examining the power track from a single secret key operation. Implementations of EC point multiplication algorithms may be vulnerable because the usual formulas for adding and doubling points are quite different and therefore may have power tracks which can be distinguished. Any implementation where the execution path is determined by the secret key bits has potential vulnerability.
- DPA attacks exploit variations in power consumption that are correlated to the data values being manipulated. These variations are typically much smaller than those associated with different instruction sequences, and therefore may be obfuscated by noise and measurement errors. Statistical methods are used on a collection of power tracks in order to reduce the noise and strengthen the differential analysis.
- To counter an SPA attack, there are a number of different countermeasures. However, most SPA countermeasures are weak to the DPA attack. Though the DPA attack is relatively more complex as compared to the SPA attack and requires analysis of a substantial number of power tracks, it is still susceptible to leaking the secret information. The complexity of the DPA attack can be measured in terms of the requested number of power tracks and through calculation by hardware resources. Although the time requested to perform an automated DPA attack can range from couple of hours to several weeks, the DPA attack may still be applicable as a reasonable attack method.
- Even if a scalar multiplication is protected with an SPA-resistant method, for example, “Always double-and-add” and/or by a DPA-resistant method, for example, randomized projective coordinates, randomized elliptic curves or randomized field representations, for example, the scalar multiplication may still be vulnerable to a DPA attack in situations where a cryptanalyst can select the base point representation.
- Accordingly, the inventors propose a method of increasing the complexity of an attack to a more significant level. In the present example embodiment, values in a power track may be randomly changed by randomly changing the point representation during a scalar multiplication process. In a scalar multiplication process, in which the EC operation is executed over a plurality of rounds, encrypted points of randomly selected rounds may be converted to other points and processed.
-
FIG. 2 is a flowchart illustrating a scalar multiplication operation to encrypt an input point P according to an example embodiment of the present invention. Referring toFIG. 2 , a cryptographic system (as to be explained in further detail with regard toFIGS. 3 and 4 ) receives the input point P and a randomness rate r at S41. The input point P may represent input data to be encrypted, and the randomness rate r denotes a value for controlling a randomization level of the point representation during the scalar multiplication process. The randomness rate r can be set between 0 to 100% by a user. For example, a randomness rate r of 100% indicates that all of input and output points in the EC operation over a plurality of rounds are to be changed to different point representations. A randomness rate r of 60% indicates that only 60% of the input and output points in the EC operation over a plurality of rounds are to be changed to different point representations. Positions at which the input and output points are changed to the different point representations may be randomly determined. - The cryptographic system sets the received input point P to Q0 (S42), and as shown in S43 through S48, a finally encrypted output point Q may be generated by performing the EC operation over a plurality of rounds, and by randomly selecting the changed positions of the point representations. In other words, the cryptographic system receives a random position value r1 generated by a random number generator 220 (
FIG. 3 ) at S43, and compares the received random position value r1 with the randomness rate r (S44). The random position value r1 is randomly generated within a range of the randomness rate r in every round. If the randomness rate r is equal to or less than the random position value r1 of S44, the cryptographic system generates an encrypted point Qi by performing the EC operation of a subsequent round without a representation change of a point Qi−1 encrypted in the EC operation of a previous round (S45). In the EC operation, the scalar multiplication Qi=k·P(Qi−1)=P+P+ . . . +P(k times) is calculated from the point Qi-1 encrypted in the previous round and a corresponding secret key k using domain parameters a,b,n in GF(2n). The secret key k is generated by a given key generator, and the domain parameters a,b,n can be received from a given protected non-volatile memory. - If the randomness rate r is greater than the random position value r1 (output of S44 is ‘YES’), the cryptographic system receives a random selection value r2 generated by the
random number generator 220 and generates a changed point (S47) by converting the point Qi−1 encrypted in the EC operation of the previous round to a point representation directed by the random selection value r2. The random selection value r2 is generated to randomly select one of the plurality of point representations shown in Table 1 in each round. In this case, the cryptographic system generates the encrypted point Qi by applying the point representation-converted point to a subsequent round (S45). - According to functions S43 through S48, once all of the scalar multiplications are complete (e.g., output of S48 is ‘YES’), the finally encrypted output point Q is output (S49) to a post-processor of an upper layer.
-
FIG. 3 is a block diagram of acryptographic system 200 implementing the method ofFIG. 2 according to an example embodiment of the present invention. Referring toFIG. 3 , thecryptographic system 200 may include ascalar multiplication unit 210 configured to receive the input point P and the randomness rate r (see S41). Thesystem 200 may include arandom number generator 220 configured to randomly generate the random position value r1 and the random selection value r2 from the randomness rate r in every round. - The
scalar multiplication unit 210 may be adapted or configured to compare (S44) the randomness rate r with the random position value r1 and to select the input point P. If the randomness rate r is greater than the random position value r1 (output of S44 is ‘YES’), then the input point P selected by thescalar multiplication unit 210 is output to apoint representation converter 230 which is adapted to change its point representation. Thepoint representation converter 230 may be adapted to generate a changed point Qi′ by converting an input point Qi selected by the scalar multiplication unit 210 (S47) to a point representation directed by the random selection value r2. Thescalar multiplication unit 210 generates the encrypted output point Q by performing the EC operation based on the changed point Qi′ and a secret key of a corresponding round (S45). If the randomness rate r is equal to or less than the random position value r1 (output of S44 is ‘NO’), thescalar multiplication unit 210 generates the encrypted output point Q by performing the EC operation at S45 based on a point presentation of a previous round without the point representation change. - Likewise, before the EC operation of an output point encrypted in a previous round is performed in a subsequent round, the
scalar multiplication unit 210 compares the randomness rate r with the random position value r1, determines whether to change a point representation, selects a point before or after a corresponding round, and outputs the selected point to thepoint representation converter 230. Thepoint representation converter 230 may be configured so as to be “shared” to randomly convert the point representation, both before the EC operation and after the EC operation (S47) in every round. - The
scalar multiplication unit 210 randomly selects at least one of the input point P and points encrypted by the EC operation over a plurality of rounds, and applies a point obtained by changing a representation of the selected point to a subsequent round. The change of the point representation may be determined based on the randomness rate r and the random position value r1 generated by therandom number generator 220 in every round. The kind or type (see Table 1) of the changed point representation may be determined based on the random selection value r2 generated by therandom number generator 220 in every round. -
FIG. 4 is a block diagram of acryptographic system 300 implementing the cryptographic method ofFIG. 2 according to another example embodiment of the present invention. Referring toFIG. 4 , thesystem 300 may include a plurality ofEC operation units point representation converters random number generator 220 shown inFIG. 3 is also included but not shown for purposes of clarity. Unlike thepoint representation converter 230 that is shared before and after the EC operation inFIG. 3 , in thesystem 300, each givenpoint representation converter - The
system 300 receives the input point P and the randomness rate r (see S41 ofFIG. 2 ). The random position value r1 and the random selection value r2 are randomly generated by therandom number generator 220 from the randomness rate r in every round. - As shown in
FIG. 4 , a firstpoint representation converter 231 compares the randomness rate r with the random position value r1 before a first EC operation unit 211 (see S44 ofFIG. 2 ) and selects the input point P if the randomness rate r is greater than the random position value r1 (output of S44 is ‘YES’). The firstpoint representation converter 231 generates a changed point (S47) by converting the selected input point P to a point representation directed by the random selection value r2. The firstEC operation unit 211 generates an encrypted output point Q1 by performing the EC operation based on the changed point and a secret key k of a corresponding round. If the randomness rate r is equal to or less than the random position value r1 (output of S44 is ‘NO’), the firstpoint representation converter 231 outputs the input point P to the firstEC operation unit 211 without the point representation change. The firstEC operation unit 211 generates the encrypted output point Q1 at S45 by performing the EC operation based on the input point P and the secret key k of the corresponding round. - Likewise, before the EC operation of each of the output points Q1, Q2, . . . encrypted in a previous round is performed in a subsequent round, before and after each of the remaining
EC operation units point representation converters EC operation unit - Each of the plurality of
point representation converters - As described above, since the binary field ECC is performed by randomly changing point representations over a plurality of rounds based on the randomness rate r, the random position value r1 and the random selection value r2 during the scalar multiplication process, the cryptographic method and system according to example embodiments of the present invention may offer a powerful countermeasure against the DPA. For the random point representations, “Affine,” “Ordinary Projective,” “Jacobian Projective” and “Lopez-Dahab Projective” point representations can be used.
- Although described primarily in terms of hardware above, an example methodology implemented by one or more components of an example system described above may also be embodied in software as a computer program. For example, a program in accordance with example embodiments of the present invention may be a computer program product causing a computer to execute a method for encrypting input data by implementing the functionality as described in
FIG. 2 , for example. - The computer program product may include a computer-readable medium having computer program logic or code portions embodied thereon for enabling a processor of a system in accordance with example embodiments to perform one or more functions in accordance with an example methodology described above. The computer program logic may thus cause the processor to perform an example method, or one or more functions of an example method described herein.
- The computer-readable storage medium may be a built-in medium installed inside a computer main body or removable medium arranged so that it can be separated from the computer main body. Examples of the built-in medium include, but are not limited to, rewriteable non-volatile memories, for example, RAM, ROM, flash memories and hard disks. Examples of a removable medium may include, but are not limited to, optical storage media, for example, CD-ROMs and DVDs; magneto-optical storage media, for example, MOs; magnetism storage media, for example, floppy disks (trademark), cassette tapes, and removable hard disks; media with a built-in rewriteable non-volatile memory, for example, memory cards; and media with a built-in ROM, for example, ROM cassettes.
- These programs may also be provided in the form of an externally supplied propagated signal and/or a computer data signal embodied in a carrier wave. The computer data signal embodying one or more instructions or functions of an example methodology may be carried on a carrier wave for transmission and/or reception by an entity that executes the instructions or functions of an example methodology. For example, the functions or instructions of the example method as shown in
FIG. 2 may be implemented by processing one or more code segments of the carrier wave in a computer controlling one or more of the components of the example system in FIGS. 3 and/or 4, where instructions or functions may be executed for encrypting data, in accordance with the example method outlined in any ofFIGS. 2-4 . Further, such programs, when recorded on computer-readable storage media, may be readily stored and distributed. The storage medium, as it is read by a computer, may enable the encrypting of input data in accordance with an example method described herein. - The cryptographic method and system according to example embodiments of the present invention can set a performance degradation level corresponding to the number of changed point representations in the scalar multiplication process, while increasing the complexity of a power analysis attack by masking power tracks in the EC operation, so as not to be distinguished. Although the binary field ECC has been described in the above example embodiments, prime field ECC using an Extended Euclidian algorithm may be implemented with minor modifications, and in its implementation, may be configured to counter the Power Analysis attack.
- As described above, a cryptographic method and system according to example embodiments of the present invention can reduce the efficiency of DPA attacks by increasing entropy of power tracks based on randomly changed point representations. Also, since a user can control a randomness rate of the point representations, a performance degradation level and a security resistance level can be set. Accordingly, the cryptographic method and system may be applied to a crypto-system requiring robustness against DPA attacks and which also requires a high operation speed. In addition, the cryptographic method and system may be applicable to prime finite field ECC, through slight modifications and may be readily applied to any well-known crypto-algorithm.
- Example embodiments of the present invention being thus described, it will be obvious that the same may be varied in many ways. For example, the functional blocks of
FIGS. 2-4 describing an example system and/or method may be implemented in hardware and/or software. The hardware/software implementations may include a combination of processor(s) and article(s) of manufacture. The article(s) of manufacture may further include storage media and executable computer program(s). The executable computer program(s) may include the instructions to perform the described operations or functions. The computer executable program(s) may also be provided as part of externally supplied propagated signal(s). Such variations are not to be regarded as departure from the spirit and scope of example embodiments of the present invention, and all such modifications as would be obvious to one skilled in the art are intended to be included within the scope of the following claims.
Claims (28)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2005-0039095 | 2005-05-11 | ||
KR1020050039095A KR100891323B1 (en) | 2005-05-11 | 2005-05-11 | Method and apparatus to increase complexity of power analysis based on random point representation in binary field Elliptic Curve CryptographyECC |
Publications (2)
Publication Number | Publication Date |
---|---|
US20060280296A1 true US20060280296A1 (en) | 2006-12-14 |
US7853013B2 US7853013B2 (en) | 2010-12-14 |
Family
ID=37524116
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/431,552 Active 2029-10-14 US7853013B2 (en) | 2005-05-11 | 2006-05-11 | Cryptographic method and system for encrypting input data |
Country Status (3)
Country | Link |
---|---|
US (1) | US7853013B2 (en) |
KR (1) | KR100891323B1 (en) |
DE (1) | DE102006022960B9 (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030059042A1 (en) * | 2000-05-30 | 2003-03-27 | Katsuyuki Okeya | Elliptic scalar multiplication system |
US20050169462A1 (en) * | 2003-12-20 | 2005-08-04 | Samsung Electronics Co. Ltd. | Cryptographic method capable of protecting elliptic curve code from side channel attacks |
US20080049931A1 (en) * | 2006-03-04 | 2008-02-28 | Samsung Electronics Co., Ltd. | Cryptographic methods including montgomery power ladder algorithms |
US20080285743A1 (en) * | 2005-03-31 | 2008-11-20 | Kaoru Yokota | Data Encryption Device and Data Encryption Method |
US20090016523A1 (en) * | 2007-07-12 | 2009-01-15 | Atmel Corporation | Masking and Additive Decomposition Techniques for Cryptographic Field Operations |
US20090041229A1 (en) * | 2007-08-07 | 2009-02-12 | Atmel Corporation | Elliptic Curve Point Transformations |
GB2453367A (en) * | 2007-10-04 | 2009-04-08 | Univ Newcastle | Cryptographic processing using isomorphic mappings of Galois fields |
US20090180611A1 (en) * | 2008-01-15 | 2009-07-16 | Atmel Corporation | Representation change of a point on an elliptic curve |
US20100049777A1 (en) * | 2008-08-25 | 2010-02-25 | Kabushiki Kaisha Toshiba | Representation converting apparatus, arithmetic apparatus, representation converting method, and computer program product |
US20100329454A1 (en) * | 2008-01-18 | 2010-12-30 | Mitsubishi Electric Corporation | Encryption parameter setting apparatus, key generation apparatus, cryptographic system, program, encryption parameter setting method, and key generation method |
US8233615B2 (en) | 2008-01-15 | 2012-07-31 | Inside Secure | Modular reduction using a special form of the modulus |
US20140164767A1 (en) * | 2012-12-10 | 2014-06-12 | Xiaoyu Ruan | Methods and apparatus for device authentication with one-time credentials |
US20190004770A1 (en) * | 2017-06-29 | 2019-01-03 | Intel Corporation | Mixed-coordinate point multiplication |
US10693625B2 (en) * | 2016-11-25 | 2020-06-23 | Samsung Electronics Co., Ltd. | Security processor, application processor including the same, and operating method of security processor |
WO2024025674A1 (en) * | 2022-07-28 | 2024-02-01 | Kinsey Brax | Digital forge systems and methods |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1844392B1 (en) | 2005-01-21 | 2012-07-04 | Certicom Corp. | Elliptic curve random number generation |
FR2926652B1 (en) * | 2008-01-23 | 2010-06-18 | Inside Contactless | COUNTER-MEASUREMENT METHOD AND DEVICES FOR ASYMMETRIC CRYPTOGRAPHY WITH SIGNATURE SCHEMA |
US8581755B2 (en) * | 2010-01-20 | 2013-11-12 | Rambus Inc. | Multiple word data bus inversion |
US8861721B2 (en) * | 2012-12-26 | 2014-10-14 | Umm Al-Qura University | System and method for securing scalar multiplication against simple power attacks |
US8804952B2 (en) * | 2012-12-26 | 2014-08-12 | Umm Al-Qura University | System and method for securing scalar multiplication against differential power attacks |
US20170134379A1 (en) * | 2014-06-16 | 2017-05-11 | Polyvalor, Limted Partnership | Method for securing an application and data |
KR101981621B1 (en) | 2017-12-11 | 2019-08-28 | 국민대학교산학협력단 | System and Method for Key bit Parameter Randomizating of public key cryptography |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6088798A (en) * | 1996-09-27 | 2000-07-11 | Kabushiki Kaisha Toshiba | Digital signature method using an elliptic curve, a digital signature system, and a program storage medium having the digital signature method stored therein |
US6611597B1 (en) * | 1999-01-25 | 2003-08-26 | Matsushita Electric Industrial Co., Ltd. | Method and device for constructing elliptic curves |
US20040228484A1 (en) * | 2003-03-27 | 2004-11-18 | Ryogo Yanagisawa | Public key generation apparatus, shared key generation apparatus, key exchange apparatus, and key exchanging method |
US20050021941A1 (en) * | 2001-09-27 | 2005-01-27 | Motoji Ohmori | Encryption device a decrypting device a secret key generation device a copyright protection system and a cipher communication device |
US20050036606A1 (en) * | 2003-07-25 | 2005-02-17 | Microsoft Corporation | Weil and Tate pairing techniques using parabolas |
US20070177721A1 (en) * | 2003-07-22 | 2007-08-02 | Fujitsu Limited | Tamper-proof elliptic encryption with private key |
US20070189527A1 (en) * | 2005-01-21 | 2007-08-16 | Brown Daniel R L | Elliptic curve random number generation |
US7298839B2 (en) * | 2003-07-25 | 2007-11-20 | Microsoft Corporation | Squared Weil and Tate pairing techniques for use with elliptic curves |
US20080219437A1 (en) * | 2007-03-07 | 2008-09-11 | Nevine Maurice Nassif Ebeid | Method and Apparatus for Performing Elliptic Curve Scalar Multiplication in a Manner that Counters Power Analysis Attacks |
US7680270B2 (en) * | 2002-10-26 | 2010-03-16 | The Additional Director (Ipr), Defence Research & Development Organisation | System for elliptic curve encryption using multiple points on an elliptic curve derived from scalar multiplication |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003098962A (en) | 2001-09-20 | 2003-04-04 | Hitachi Ltd | Method and device for calculating elliptic curve scalar multiple, and recording medium |
JP2003216026A (en) | 2002-01-18 | 2003-07-30 | Sony Corp | Method and device for enciphering elliptic curve and computer program |
KR100451570B1 (en) | 2002-10-29 | 2004-10-08 | (주)미래스멕스 | Method and apparatus for implementing elliptic curve cryptosystem resisting against simple power attacks |
JP2004163687A (en) | 2002-11-13 | 2004-06-10 | Fujitsu Ltd | Device and program for elliptic curve ciphering |
DE20217616U1 (en) * | 2002-11-13 | 2003-02-20 | Univ Darmstadt Tech | Cryptographic apparatus such as a smart card with implementation of point multiplication on elliptical curves resistant to side channel effects |
JP4423900B2 (en) | 2003-08-05 | 2010-03-03 | 株式会社日立製作所 | Scalar multiplication calculation method, apparatus and program for elliptic curve cryptography |
-
2005
- 2005-05-11 KR KR1020050039095A patent/KR100891323B1/en active IP Right Grant
-
2006
- 2006-05-11 US US11/431,552 patent/US7853013B2/en active Active
- 2006-05-11 DE DE102006022960A patent/DE102006022960B9/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6088798A (en) * | 1996-09-27 | 2000-07-11 | Kabushiki Kaisha Toshiba | Digital signature method using an elliptic curve, a digital signature system, and a program storage medium having the digital signature method stored therein |
US6611597B1 (en) * | 1999-01-25 | 2003-08-26 | Matsushita Electric Industrial Co., Ltd. | Method and device for constructing elliptic curves |
US20040098436A1 (en) * | 1999-01-25 | 2004-05-20 | Yuichi Futa | Method and device for constructing elliptical curves |
US20050021941A1 (en) * | 2001-09-27 | 2005-01-27 | Motoji Ohmori | Encryption device a decrypting device a secret key generation device a copyright protection system and a cipher communication device |
US7680270B2 (en) * | 2002-10-26 | 2010-03-16 | The Additional Director (Ipr), Defence Research & Development Organisation | System for elliptic curve encryption using multiple points on an elliptic curve derived from scalar multiplication |
US20040228484A1 (en) * | 2003-03-27 | 2004-11-18 | Ryogo Yanagisawa | Public key generation apparatus, shared key generation apparatus, key exchange apparatus, and key exchanging method |
US20070177721A1 (en) * | 2003-07-22 | 2007-08-02 | Fujitsu Limited | Tamper-proof elliptic encryption with private key |
US20050036606A1 (en) * | 2003-07-25 | 2005-02-17 | Microsoft Corporation | Weil and Tate pairing techniques using parabolas |
US7298839B2 (en) * | 2003-07-25 | 2007-11-20 | Microsoft Corporation | Squared Weil and Tate pairing techniques for use with elliptic curves |
US20080137839A1 (en) * | 2003-07-25 | 2008-06-12 | Microsoft Corporation | Squared Weil and Tate Pairing Techniques for Use with Elliptic Curves |
US20070189527A1 (en) * | 2005-01-21 | 2007-08-16 | Brown Daniel R L | Elliptic curve random number generation |
US20080219437A1 (en) * | 2007-03-07 | 2008-09-11 | Nevine Maurice Nassif Ebeid | Method and Apparatus for Performing Elliptic Curve Scalar Multiplication in a Manner that Counters Power Analysis Attacks |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7308096B2 (en) * | 2000-05-30 | 2007-12-11 | Hitachi, Ltd. | Elliptic scalar multiplication system |
US20030059042A1 (en) * | 2000-05-30 | 2003-03-27 | Katsuyuki Okeya | Elliptic scalar multiplication system |
US7676037B2 (en) * | 2003-12-20 | 2010-03-09 | Samsung Electronics Co., Ltd. | Cryptographic method capable of protecting elliptic curve code from side channel attacks |
US20050169462A1 (en) * | 2003-12-20 | 2005-08-04 | Samsung Electronics Co. Ltd. | Cryptographic method capable of protecting elliptic curve code from side channel attacks |
US20080285743A1 (en) * | 2005-03-31 | 2008-11-20 | Kaoru Yokota | Data Encryption Device and Data Encryption Method |
US8094811B2 (en) * | 2005-03-31 | 2012-01-10 | Panasonic Corporation | Data encryption device and data encryption method |
US20080049931A1 (en) * | 2006-03-04 | 2008-02-28 | Samsung Electronics Co., Ltd. | Cryptographic methods including montgomery power ladder algorithms |
US8379842B2 (en) * | 2006-03-04 | 2013-02-19 | Samsung Electronics Co., Ltd. | Cryptographic methods including Montgomery power ladder algorithms |
US20090016523A1 (en) * | 2007-07-12 | 2009-01-15 | Atmel Corporation | Masking and Additive Decomposition Techniques for Cryptographic Field Operations |
US8559625B2 (en) | 2007-08-07 | 2013-10-15 | Inside Secure | Elliptic curve point transformations |
US20090041229A1 (en) * | 2007-08-07 | 2009-02-12 | Atmel Corporation | Elliptic Curve Point Transformations |
GB2453367A (en) * | 2007-10-04 | 2009-04-08 | Univ Newcastle | Cryptographic processing using isomorphic mappings of Galois fields |
US20100208885A1 (en) * | 2007-10-04 | 2010-08-19 | Julian Philip Murphy | Cryptographic processing and processors |
US8233615B2 (en) | 2008-01-15 | 2012-07-31 | Inside Secure | Modular reduction using a special form of the modulus |
TWI462010B (en) * | 2008-01-15 | 2014-11-21 | Inside Secure | Cryptographic method and system using a representation change of a point on an elliptic curve |
US20090180611A1 (en) * | 2008-01-15 | 2009-07-16 | Atmel Corporation | Representation change of a point on an elliptic curve |
US8619977B2 (en) * | 2008-01-15 | 2013-12-31 | Inside Secure | Representation change of a point on an elliptic curve |
US8401179B2 (en) * | 2008-01-18 | 2013-03-19 | Mitsubishi Electric Corporation | Encryption parameter setting apparatus, key generation apparatus, cryptographic system, program, encryption parameter setting method, and key generation method |
US20100329454A1 (en) * | 2008-01-18 | 2010-12-30 | Mitsubishi Electric Corporation | Encryption parameter setting apparatus, key generation apparatus, cryptographic system, program, encryption parameter setting method, and key generation method |
US8533243B2 (en) * | 2008-08-25 | 2013-09-10 | Kabushiki Kaisha Toshiba | Representation converting apparatus, arithmetic apparatus, representation converting method, and computer program product |
US20100049777A1 (en) * | 2008-08-25 | 2010-02-25 | Kabushiki Kaisha Toshiba | Representation converting apparatus, arithmetic apparatus, representation converting method, and computer program product |
US20140164767A1 (en) * | 2012-12-10 | 2014-06-12 | Xiaoyu Ruan | Methods and apparatus for device authentication with one-time credentials |
US9215069B2 (en) * | 2012-12-10 | 2015-12-15 | Intel Corporation | Methods and apparatus for device authentication with one-time credentials |
US10693625B2 (en) * | 2016-11-25 | 2020-06-23 | Samsung Electronics Co., Ltd. | Security processor, application processor including the same, and operating method of security processor |
US20190004770A1 (en) * | 2017-06-29 | 2019-01-03 | Intel Corporation | Mixed-coordinate point multiplication |
US10635404B2 (en) * | 2017-06-29 | 2020-04-28 | Intel Corporation | Mixed-coordinate point multiplication |
WO2024025674A1 (en) * | 2022-07-28 | 2024-02-01 | Kinsey Brax | Digital forge systems and methods |
Also Published As
Publication number | Publication date |
---|---|
KR20060116612A (en) | 2006-11-15 |
DE102006022960B9 (en) | 2013-06-27 |
DE102006022960A1 (en) | 2007-01-04 |
KR100891323B1 (en) | 2009-03-31 |
US7853013B2 (en) | 2010-12-14 |
DE102006022960B4 (en) | 2013-04-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7853013B2 (en) | Cryptographic method and system for encrypting input data | |
US7903811B2 (en) | Cryptographic system and method for encrypting input data | |
Dall et al. | Cachequote: Efficiently recovering long-term secrets of SGX EPID via cache attacks | |
Bauer et al. | Horizontal collision correlation attack on elliptic curves: –Extended Version– | |
Acıiçmez et al. | New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures | |
US7536011B2 (en) | Tamper-proof elliptic encryption with private key | |
Strenzke et al. | Side channels in the McEliece PKC | |
Izu et al. | Improved elliptic curve multiplication methods resistant against side channel attacks | |
US7065788B2 (en) | Encryption operating apparatus and method having side-channel attack resistance | |
Hasan | Power analysis attacks and algorithmic approaches to their countermeasures for Koblitz curve cryptosystems | |
US20080260143A1 (en) | Xz-elliptic curve cryptography with secret key embedding | |
US20090136025A1 (en) | Method for scalarly multiplying points on an elliptic curve | |
KR20100113130A (en) | Countermeasure method and devices for asymmetric cryptography | |
KR100652377B1 (en) | A modular exponentiation algorithm, a record device including the algorithm and a system using the algorithm | |
US8553878B2 (en) | Data transformation system using cyclic groups | |
Koppermann et al. | 18 seconds to key exchange: Limitations of supersingular isogeny Diffie-Hellman on embedded devices | |
US7916860B2 (en) | Scalar multiplication apparatus and method | |
US11824986B2 (en) | Device and method for protecting execution of a cryptographic operation | |
Abarzúa et al. | Survey on performance and security problems of countermeasures for passive side-channel attacks on ECC | |
Dubeuf et al. | ECDSA passive attacks, leakage sources, and common design mistakes | |
Fouque et al. | Defeating countermeasures based on randomized BSD representations | |
US20060274894A1 (en) | Method and apparatus for cryptography | |
Ming et al. | Revealing the weakness of addition chain based masked SBox implementations | |
Coron et al. | Improved Gadgets for the High-Order Masking of Dilithium | |
KR100564599B1 (en) | Inverse calculation circuit, inverse calculation method, and storage medium encoded with computer-readable computer program code |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VASYLTSOV, IHOR;SON, HEE-KWAN;BAEK, YOO-JIN;REEL/FRAME:018158/0682 Effective date: 20060803 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552) Year of fee payment: 8 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 12 |